Hashicorp Vault: Python hvac does not see secrets
Question
I'm trying to use HashiCorp Vault with the hvac Python client.
I've run the Vault Docker container (development mode config) on localhost, created a KV secret engine kv1 (with version 1 API), added a secret mega_secret, added a key/value ("hell" --> "yeah") to it and tried to read it with hvac.
First, let's go to the Docker container terminal and check that the secret is alive:
# vault kv get kv1/mega_secret
==== Data ====
Key Value
--- -----
hell yeah
And now I'm trying to read it with hvac.
import hvac
client = hvac.Client(url="http://localhost:8200", token="hvs.4MzADdB9pIHAggqaQWQZASx0", namespace="")
assert client.is_authenticated()
assert not client.sys.is_sealed()
print(client.kv.v1.read_secret(path="kv1/mega_secret")) # the crash happens here
Error message:
hvac.exceptions.InvalidPath: no handler for route "secret/kv1/mega_secret".
route entry not found., on get http://localhost:8200/v1/secret/kv1/mega_secret
How can it be fixed?
Answer 1
Score: 2
Vault can mount the same secret engine multiple times, each on its own mount point. You have chosen to use kv1, no problem with that.
HVAC assumes that secret is the name of the mount point by default.
You will be able to read your secret by specifying the mount point like this:
client.kv.v1.read_secret(mount_point="kv1", path="mega_secret")
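To make the difference between the failing and the working call concrete, the sketch below (an added example, not part of the original answer and not hvac's own code) splits a CLI-style path into mount point and relative path and builds the route Vault is asked for. The mount listing is constructed sample data, and resolve, api_route and naive_route are hypothetical helper names; the KV version 2 "data/" case goes beyond the version 1 engine used in the question.

```python
# Added example: resolve a CLI-style Vault path into the mount point and
# relative path that the KV read call needs, and show the resulting route.

# Constructed sample shaped like a "sys/mounts" listing (not real output).
SAMPLE_MOUNTS = {
    "kv1/": {"type": "kv", "options": {"version": "1"}},
    "secret/": {"type": "kv", "options": {"version": "2"}},
    "team/kv/": {"type": "kv", "options": None},  # assumption: no options means v1
    "sys/": {"type": "system", "options": None},
}

HVAC_DEFAULT_MOUNT = "secret"  # default mount point named in the answer above


def resolve(full_path, mounts):
    """Split 'kv1/mega_secret' into (mount_point, path, kv_version)."""
    full_path = full_path.strip("/")
    # Longest-prefix match so nested mounts such as 'team/kv/' win.
    for mount in sorted(mounts, key=len, reverse=True):
        info = mounts[mount]
        if info.get("type") != "kv":
            continue
        if full_path.startswith(mount):
            options = info.get("options") or {}
            version = int(options.get("version", "1"))
            return mount.rstrip("/"), full_path[len(mount):], version
    raise LookupError(f"no KV mount serves {full_path!r}")


def api_route(mount_point, path, version=1):
    """Route requested from Vault: KV v2 reads insert 'data/' after the mount."""
    middle = "data/" if version == 2 else ""
    return f"/v1/{mount_point}/{middle}{path}"


def naive_route(full_path):
    """Route produced when the whole CLI path is passed as path= only."""
    return api_route(HVAC_DEFAULT_MOUNT, full_path.strip("/"))


if __name__ == "__main__":
    mount, path, version = resolve("kv1/mega_secret", SAMPLE_MOUNTS)
    print("failing route:", naive_route("kv1/mega_secret"))
    print("working route:", api_route(mount, path, version))
    print(f'read_secret(mount_point="{mount}", path="{path}")')
```

The failing route matches the URL in the InvalidPath error from the question, which is a quick way to spot a wrong mount point when reading such errors.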